August 2013 archive

TDYR #031 – At 10 Years Old, Skype Has Disrupted Telecom, But Can It Stay Relevant?

Skype turns 10 today and while Skype has massively disrupted telecom, can it remain relevant? Will it be disrupted as well? Read the accompanying article at: http://www.disruptivetelephony.com/2013/08/10-years-of-skype-massive-disruption-but-will-skype-remain-relevant.html

TDYR #030 – On The 50th Anniversary Of MLK’s “I Have A Dream” Speech

On this 50th anniversary of Martin Luther King, Jr's "I Have A Dream" speech (August 28, 2013), I spoke about how the power of that speech still gives me chills... and encouraged listeners to go take a listen: Speech: http://www.youtube.com/watch?v=smEqnnklfYs Text: http://www.archives.gov/press/exhibits/dream-speech.pdf

Call for Speakers For DNSSEC Workshop at ICANN 48 in Buenos Aires

icann48Will you be attending the ICANN 48 meeting in Buenos Aires, Argentina, in November 2013?  If so, are you interested in speaking about DNSSEC at the DNSSEC Workshop planned for Wednesday, November 20, 2013?

The DNSSEC Workshop program committee, of which I am a member, is seeking speakers for sessions on:

  • DNSSEC activities in Latin America
  • The operational realities of running DNSSEC
  • DNSSEC and enterprise activities
  • When unexpected events occur
  • Preparing for root key rollover
  • DANE and other DNSSEC applications
  • DNSSEC automation
  • Guidance for registrars in implementing DNSSEC
  • APIs between registrars and DNS hosting operators

In this session, we are particularly interested in hearing from people who have found (or developed) solutions for automating their implementation of DNSSEC.  We are also very interested in hearing from registrars given that the 2013 Registrar Accreditation Agreement (RAA) with ICANN will require ICANN-accredited registrars to at the very least support the acceptance of DNSSEC records from registrants.

The full “Call for Participation” is below that provides more details.  If you have an idea for a presentation, please send a brief 1 or 2 sentence description to dnssec-buenosaires@shinkuro.com which will reach the whole program committee. (Please send email rather than leave a comment here.)

We already have some solid speakers who have indicated their interest and so we’re very much looking forward to another excellent session.  I’ll also note that the ICANN meetings are free to attend – you have to register but there is no cost. You just have to pay for your travel and expenses to get to Buenos Aires.   The DNSSEC Workshop will also be streamed live over the Internet for those wishing to watch/listen and will be archived for later viewing.

These workshops are really excellent technical sessions. I would encourage you to attend if at all possible and I would definitely encourage you to submit a proposal to speak.  We’re always interested in hearing new perspectives.


Call for Participation — ICANN DNSSEC Workshop 20 November 2013

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), is planning a DNSSEC Workshop at the ICANN meeting in Buenos Aires, Argentina on 20 November 2013. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN meeting in Durban, South Africa on 17 July 2013. The presentations and transcripts are available at: http://durban47.icann.org/node/39749.

We are seeking presentations on the following topics:

1. DNSSEC Activities in Latin America:
For this panel we are seeking participation from those who have been involved in DNSSEC deployment in Latin America, but also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implement DNSSEC or not?

2. The Operational Realities of Running DNSSEC
Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What’s best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

3. DNSSEC and Enterprise Activities
DNSSEC has always been seen as a huge benefit to organizations looking to protect their identity and security on the Web. Large enterprises are an obvious target for DNS hackers and DNSSEC provides an ideal solution to this challenge. This session aims to look at the benefits and challenges of deploying DNSSEC for major enterprises. Topics for discussion:
* What is the current status of DNSSEC deployment among enterprises?
* What plans do the major enterprises have for their DNSSEC roadmaps?
* What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
* What are the challenges to deployment for these organizations? Do they foresee raising awareness of DNSSEC with their customers?

4. When Unexpected DNSSEC Events Occur
What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

5. Preparing for Root Key Rollover
For this topic we are seeking input on issues relating to root key rollover. In particular, we are seeking comments from vendors, ISPs, and the community that will be affected by distribution of new root keys.

6. DANE and Other DNSSEC Applications
The DNS-based Authentication of Named Entitites (DANE) protocol is an exciting development where DNSSEC can be used to provide a strong additional trust layer for traditional SSL/TLS certificates. There is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:
* What are some of the new and innovative uses of DANE in new areas or industries?
* What tools and services are now available that can support DANE usage?
* How soon could DANE become a deployable reality?
* How can the industry used DANE as a mechanism for creating a more secure Internet?

7. DNSSEC Automation:
For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. Topics for which we would like to see presentations include:
* What tools, systems and services are available to help automate DNSSEC key management?
* Can you provide an analysis of current tools/services and identify gaps?
* Where in the various pieces that make up DNSSEC signing and validation are the best opportunities for automation?
* What are the costs and benefits of different approaches to automation?

8. Guidance for Registrars in Supporting DNSSEC:
The 2013 Registrar Accreditation Agreement (RAA) for Registrars and Resellers requires the support of DNSSEC beginning on January 1, 2014. We are seeking presentations discussing:
* What are the specific technical requirements of the RAA and how can registrars meet those requirements?
* What tools and systems are available for registrars that include DNSSEC support?
* What information do registrars need to provide to resellers and ultimately customers?

We are particularly interested in hearing from registrars who have signed the 2013 RAA and have either already implemented DNSSEC support or have a plan for doing so.

9. APIs Between the Registrars and DNS Hosting Operators:
One specific area that has been identified as needing focus is the communication between registrars and DNS hosting operators, specifically when these functions are provided by different entities. Right now the communication, such as the transfer of a DS record, occurs primarily by way of the domain name holder copying and pasting information from one web interface to another. How can this be automated? We would welcome presentations by either registrars or DNS hosting operators who have implemented APIs for the communication of DNSSEC information – or from people with ideas around how such APIs could be constructed.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence)
description of your proposed presentation to dnssec-buenosaires@shinkuro.com by **Friday, 06 September 2013**

We hope that you can join us.

Thank you,

Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:
Steve Crocker, Shinkuro
Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Russ Mundy, Sparta/Parsons
Ondřej Surý, CZ.NIC
Lance Wolak, .ORG, The Public Interest Registry
Yoshiro Yoneya, JPRS
Dan York, Internet Society

TeleGeography’s Interactive Submarine Cable Map Is a Fun and Fascinating View Into Infrastructure (Featured Blog)

Ever want to know where all the submarine cables are that provide part of the physical infrastructure of the Internet? Or which cities in the world have the most connectivity via submarine cables? (or which regions might be single points of failure?) In doing some research I stumbled across this excellent site from the folks at TeleGeography... It is a very well done and captivating (to me, anyway) view into where all the current and planned submarine cables are located. More...

TeleGeography’s Interactive Submarine Cable Map Is A Fun And Fascinating View Into Infrastructure (Featured Blog)

More...

FIR #718 – 8/26/13 – For Immediate Release

Melbourne Mandate interview now available, marketing automation interview coming, no FIR Live on Google and press releases, Neville's Bloggade wrap-up; Quick News: Volkswagen's #SmileDrive app, Ford and Boing Boing partner for a hackathon, HuffPo ends anonymous comments, upbeat content gets more traction; Ragan promo; News that Fits: catching up with Vine, Dan York's report, lessons for SEO and digital marketing, Media Monitoring Minute from CustomScoop, listener comments, MOOCs as a communication channel, why Ari Herzog killed 61 percent of his LinkedIn friends; how to comment; music from King Pug; and more.

Friday Humor: The Day The Routers Died

Yes, this video is almost 6 years old… but it’s still worth a laugh on a Friday afternoon!  If you haven’t ever listened to “The Day The Routers Died” performed at the RIPE 55 meeting by Gary Feldman, well… you owe yourself the chance to do so!  And if you have seen it… or were there … it’s a fun look back – many of the people visible are folks who are still very active today!

Note that the full lyrics are available on the YouTube page if you are interested.

(and now I’ve got that song stuck in my head!!!)

Test-ipv6.com Mirror Now Running In Slovenia

test-ipv6-slWe were pleased to recently learn from our own Jan Zorz that he is now hosting a Slovenian mirror of the test-ipv6.com site at:

http://test-ipv6.go6.si/

While located in Slovenia, the site is open to anyone to use to test your IPv6 connectivity.  It is part of the worldwide network of mirrors of test-ipv6.com that have been established.

Very cool to see… and if you, too, are interested in operating a mirror, either as an official or “unofficial” mirror, instructions can be found in the Test-ipv6.com wiki.

New USENIX Paper: Measuring the Practical Impact of DNSSEC Deployment

usenix-dnnsec-082013At the recent 22nd USENIX Security Symposium in Washington, DC, a paper was presented that is now available for download: Measuring the Practical Impact of DNSSEC Deployment, written by several researchers from the University of California along with security researcher Eric Rescorla.  Their work was to explore the cost vs benefit of deploying DNSSEC.  As they note in their abstract:

We have performed a large-scale measurement of the effects of DNSSEC on client name resolution using an ad network to collect results from over 500,000 geographically-distributed clients. Our findings corroborate those of previous researchers in showing that a relatively small fraction of users are protected by DNSSEC-validating resolvers. And we show, for the first time, that enabling DNSSEC measurably increases end-to-end resolution failures. For every 10 clients that are protected from DNS tampering when a domain deploys DNSSEC, approximately one ordinary client (primarily in Asia) becomes unable to access the domain.

They go on to provide a background of DNS and DNSSEC, explain their methodology and systems and then outline their results.  To perform their tests, they used web-based ads in what seems like a method similar to what Geoff Huston and George Michaelson have been doing at APNIC. (I have not specifically compared the two methodologies, but both are using web-based ads.)

The paper reaches several interesting conclusions.  First, they found that DNSSEC validation was performed by about 2.6% of users out there. Second, they found that about 1% of clients failed to retrieve a validly DNSSEC-signed resource – and that this was primarily from clients in the Asia Pacific region and was related to DNS resolution falling back to TCP to accommodate larger packet sizes.

The full document is definitely worth a read as there is a wealth of information and also links out to other studies and surveys.  They also include some good cautions in there for people undertaking similar advertising-based studies.

My one question about the study was when the measurements were taken and whether it was before or after Google enabled DNSSEC validation on their Public DNS servers back in May.  I couldn’t find the timeframe in the study, but that could be important, as Geoff Huston’s latest measurements showed a jump in DNSSEC validation from 3.3% to 8.1% after Google made their change.

Regardless, it’s great to see these kind of studies out there and I look forward to reading any further research the team may perform in this area.

TDYR #029 – Leaving The Internet To Speak French For A Week

TDYR #029 - Leaving The Internet To Speak French For A Week by Dan York